Search
Total
49350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10297 | 1 Jenkins | 1 Sametime | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10298 | 1 Jenkins | 1 Koji | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Koji Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2018-7340 | 1 Cisco | 1 Duo Network Gateway | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | |||||
| CVE-2019-10299 | 1 Jenkins | 1 Cloudcoreo Deploytime | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10947 | 1 Deltaww | 1 Cncsoft Screeneditor | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.88 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. This may occur because CNCSoft lacks user input validation before copying data from project files onto the stack. | |||||
| CVE-2019-10302 | 1 Jenkins | 1 Jira-ext | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins jira-ext Plugin 0.8 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10951 | 1 Deltaww | 1 Cncsoft Screeneditor | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.88 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap. | |||||
| CVE-2019-10303 | 1 Jenkins | 1 Azure Publishersettings Credentials | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Azure PublisherSettings Credentials Plugin 1.2 and earlier stored credentials unencrypted in the credentials.xml file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10316 | 1 Jenkins | 1 Aqua Microscanner | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10318 | 1 Jenkins | 1 Azure Ad | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system. | |||||
| CVE-2019-10249 | 1 Eclipse | 2 Xtend, Xtext | 2020-10-02 | 6.8 MEDIUM | 8.1 HIGH |
| All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised. | |||||
| CVE-2019-10145 | 1 Redhat | 1 Rkt | 2020-10-02 | 6.9 MEDIUM | 7.7 HIGH |
| rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` do not have seccomp filtering during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources. | |||||
| CVE-2019-10329 | 1 Eficode | 1 Influxdb | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins InfluxDB Plugin 1.21 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10330 | 1 Gitea | 1 Gitea | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted. | |||||
| CVE-2019-10164 | 4 Fedoraproject, Opensuse, Postgresql and 1 more | 4 Fedora, Leap, Postgresql and 1 more | 2020-10-02 | 9.0 HIGH | 8.8 HIGH |
| PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. | |||||
| CVE-2019-10347 | 1 Jenkins | 1 Mashup Portlets | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10350 | 1 Jenkins | 1 Port Allocator | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10351 | 1 Jenkins | 1 Caliper Ci | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10915 | 1 Siemens | 2 Sinetplan, Tia Administrator | 2020-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-10162 | 2 Opensuse, Powerdns | 2 Leap, Authoritative | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify. | |||||
| CVE-2019-10355 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2020-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10356 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2020-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10980 | 1 Laquisscada | 1 Scada | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| A type confusion vulnerability may be exploited when LAquis SCADA 4.3.1.71 processes a specially crafted project file. This may allow an attacker to execute remote code. The attacker must have local access to the system. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). | |||||
| CVE-2019-10201 | 1 Redhat | 2 Keycloak, Single Sign-on | 2020-10-02 | 5.5 MEDIUM | 8.1 HIGH |
| It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. | |||||
| CVE-2019-10943 | 1 Siemens | 22 Simatic Et 200sp Open Controller Cpu 1515sp Pc, Simatic Et 200sp Open Controller Cpu 1515sp Pc2, Simatic Et 200sp Open Controller Cpu 1515sp Pc2 Firmware and 19 more | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions <= 20.8), SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC (All versions), SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7 PLCSIM Advanced (All versions <= V3.0), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions <= V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants), excluding CPU 1518 MFP (and related SIPLUS variant) (All versions <= V2.8.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants), excluding CPU 1518-4 PN/DP and CPU 1518 MFP (and related SIPLUS variant) (All versions <= V2.8.1), SIMATIC S7-1500 Software Controller (All versions <= V20.8). An attacker with network access to port 102/tcp could potentially modify the user program on the PLC in a way that the running code is different from the source code which is stored on the device. An attacker must have network access to affected devices and must be able to perform changes to the user program. The vulnerability could impact the perceived integrity of the user program stored on the CPU. An engineer that tries to obtain the code of the user program running on the device, can receive different source code that is not actually running on the device. No public exploitation of the vulnerability was known at the time of advisory publication. | |||||
| CVE-2019-10960 | 1 Zebra | 16 220xi4, 220xi4 Firmware, Zt220 and 13 more | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Zebra Industrial Printers All Versions, Zebra printers are shipped with unrestricted end-user access to front panel options. If the option to use a passcode to limit the functionality of the front panel is applied, specially crafted packets could be sent over the same network to a port on the printer and the printer will respond with an array of information that includes the front panel passcode for the printer. Once the passcode is retrieved, an attacker must have physical access to the front panel of the printer to enter the passcode to access the full functionality of the front panel. | |||||
| CVE-2020-12715 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2020-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| RainbowFish PacsOne Server 6.8.4 has Incorrect Access Control. | |||||
| CVE-2019-11270 | 1 Pivotal Software | 3 Application Service, Cloud Foundry Uaa, Operations Manager | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | |||||
| CVE-2019-10982 | 1 Deltaww | 1 Cnssoft Screeneditor | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| Delta Electronics CNCSoft ScreenEditor, Versions 1.00.89 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap. | |||||
| CVE-2019-10977 | 1 Mitsubishielectric | 2 Qj71e71-100, Qj71e71-100 Firmware | 2020-10-02 | 7.8 HIGH | 7.5 HIGH |
| In Mitsubishi Electric MELSEC-Q series Ethernet module QJ71E71-100 serial number 20121 and prior, an attacker could send crafted TCP packets against the FTP service, forcing the target devices to enter an error mode and cause a denial-of-service condition. | |||||
| CVE-2019-10981 | 1 Schneider-electric | 2 Citectscada, Scada Expert Vijeo Citect | 2020-10-02 | 2.1 LOW | 7.8 HIGH |
| In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials. | |||||
| CVE-2019-11243 | 2 Kubernetes, Netapp | 2 Kubernetes, Trident | 2020-10-02 | 4.3 MEDIUM | 8.1 HIGH |
| In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig() | |||||
| CVE-2019-7177 | 1 Pexip | 1 Pexip Infinity | 2020-10-02 | 9.0 HIGH | 7.2 HIGH |
| Pexip Infinity before 20.1 allows Code Injection onto nodes via an admin. | |||||
| CVE-2018-10585 | 1 Pexip | 1 Pexip Infinity | 2020-10-02 | 7.8 HIGH | 7.5 HIGH |
| Pexip Infinity before 18 allows remote Denial of Service (XML parsing). | |||||
| CVE-2020-5786 | 1 Teltonika-networks | 2 Trb245, Trb245 Firmware | 2020-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | |||||
| CVE-2020-3141 | 1 Cisco | 128 Asr1001-hx, Asr1001-hx-rf, Asr1001-x-rf and 125 more | 2020-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple vulnerabilities in the web management framework of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2017-14123 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2020-10-01 | 9.0 HIGH | 8.8 HIGH |
| Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp. | |||||
| CVE-2019-10967 | 1 Emerson | 2 Ovation Ocr400, Ovation Ocr400 Firmware | 2020-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the service to overwrite buffers, leading to remote code execution and escalation of privileges. | |||||
| CVE-2019-10311 | 1 Jenkins | 1 Ansible Tower | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2015-3655 | 1 Arubanetworks | 1 Clearpass | 2020-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to hijack the authentication of administrators by leveraging improper enforcement of the anti-CSRF token. | |||||
| CVE-2019-10301 | 1 Jenkins | 1 Gitlab | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10339 | 1 Jenkins | 1 Jx Resources | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. | |||||
| CVE-2019-10313 | 1 Jenkins | 1 Twitter | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Twitter Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10348 | 1 Jenkins | 1 Gogs | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10380 | 1 Jenkins | 1 Simple Travis Pipeline Runner | 2020-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code. | |||||
| CVE-2019-1947 | 1 Cisco | 2 Asyncos, Email Security Appliance | 2020-10-01 | 7.8 HIGH | 8.6 HIGH |
| A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of email messages that contain large attachments. An attacker could exploit this vulnerability by sending a malicious email message through the targeted device. A successful exploit could allow the attacker to cause a permanent DoS condition due to high CPU utilization. This vulnerability may require manual intervention to recover the ESA. | |||||
| CVE-2020-25221 | 1 Linux | 1 Linux Kernel | 2020-10-01 | 7.2 HIGH | 7.8 HIGH |
| get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv(), aka CID-9fa2dd946743. | |||||
| CVE-2019-10284 | 1 Jenkins | 1 Diawi Upload | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10285 | 1 Jenkins | 1 Minio Storage | 2020-10-01 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Minio Storage Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2020-8253 | 1 Citrix | 1 Xenmobile Server | 2020-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| Improper authentication in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6 and Citrix XenMobile Server before 10.9 RP5 leads to the ability to access sensitive files. | |||||